ACH (which includes direct deposit) has an inch or 1½" rulebook that is published & updated every year. Just like with Congress or your state legislature, some years there is hardly any change & some years there is a significant change (on the nature of Obamacare or the tax law changes that went into effect this year; not a total rewrite.)
The rulebook contains everything from technical (file layouts, file timings, etc.) to the more ‘businessey’ rules (required paperwork, audit schedule, etc.)
ACHs can flow money both ways, both as a credit to you (direct deposit) or as a debit from you (when you authorize a utility, credit card, car loan, mortgage, etc. to pull money from your account). For any debit, the other bank (ODFI) must retain proof, whether that’s a written form, a copy of your clicks on their website &/or a recording of your call into their automated phone system.
As stated above, bank account information is not, nor was it intended to be, secure. Anyone who has your bank account information, including the nephew you write a birthday check to, could either print their own check with your information or initiate an ACH against your account.
ACHs can be returned for different reasons & there are very specific return codes you use for each reason (about 70 unique return reasons), including but not nearly limited to:
- NSF (Non-Sufficient Funds)
- Acct Closed
- Invalid Acct #
- Not Authorized
Financial Institutions (FIs) are limited in the percentage of returns they are allowed, with an even lower threshold for ‘Not Authorized’ returns, so it’s in their best interest to keep these returns low; otherwise they can be fined, or eventually barred from the ACH network.
If you see an unauthorized transaction (including wrong amount / more than you agreed to) contact your bank. You’ll probably be required to fill out a form; maybe in person, maybe via email, maybe online (that depends upon your bank) attesting that you didn’t authorize the txn; either at all, or for that amount, etc. Your bank will then go back to the other bank &, per the rules, demand to see the authorization for that txn. If the other bank can produce it & everything is valid, then the charge stays in your account (maybe you forgot you filled out that form when you signed all of the new car paperwork). If not, the funds are returned to you & the other bank has a strike against them. Just like in baseball, one strike isn’t a big deal, but enough of them & you’re out!
If I’m your dastardly, no-good-nephew who takes the information on the bottom of your birthday check to me & uses that to pay my utility bill, the credit to the electric/gas/water company will be reversed so I didn’t gain anything in the end. If I do that once, probably no big deal, I’ll have a black mark on my customer profile w/in the bank; maybe my account will be closed. However, if I do it often enough or for a large enough amount of money, I could expect some people with guns & badges to offer me some jewelry & a photo shoot.